
Code Red

The Code Red worm is self-replicating malicious code that exploits a known buffer overflow in the Index Server ISAPI extension (idq.dll, reached through the .ida and .idq script mappings) of Microsoft IIS servers. Microsoft published a patch for this vulnerability (Security Bulletin MS01-033) before the worm appeared; a server with the patch applied, or with those script mappings removed, is not vulnerable. The "Code Red" worm attack proceeds as follows:

  • The "Code Red" worm attempts to connect to TCP port 80 on a randomly chosen host, on the assumption that a web server is listening there. Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request for /default.ida to the victim, attempting to exploit the buffer overflow in the Indexing Service.
  • Because the worm is self-propagating, every randomly chosen host receives the same exploit (the HTTP GET request). The consequences depend on the configuration of the host that receives it: a host that is not running IIS, or that runs a patched IIS, typically just records an unusual request for /default.ida in its web server log.
  • Unpatched IIS servers with the Indexing Service installed will almost certainly be compromised by the "Code Red" worm.
  • If the exploit is successful, the worm begins executing on the victim host. In the earlier variant of the worm, victim hosts whose system default language was English served the following defacement in place of every page requested from the server:
    HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
  • Servers configured with a language other than English, and servers infected with the later variant, show no change in the served content. Other worm activity on a compromised machine is time-sensitive: the action taken depends on the day of the month read from the system clock.
  • From the 1st through the 19th of the month, the infected host attempts to connect to TCP port 80 of randomly chosen IP addresses in order to further propagate the worm. From the 20th through the 27th it instead launches a packet-flooding denial of service attack against a single fixed IP address hard-coded in the worm (at the time, the address of www.whitehouse.gov). From the 28th to the end of the month the worm "sleeps": no active connections and no denial of service. Because the worm runs only in memory and writes nothing to disk, a reboot removes it, but an unpatched host is reinfected as soon as another infected host scans it, so apply the patch before the server goes back on the network.
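
The following Python is an added example, not part of the original alert: it scans web-server access logs for the Code Red probe described above and maps the system clock's day of month to the worm's phase. The log lines are constructed for the example. The request shape (GET /default.ida? followed by a long run of N characters and %u-encoded words; a run of X characters marks the Code Red II variant) and the day-of-month boundaries come from public analyses of the worm, not from this page.

```python
import re
from typing import List, Optional

# Common-log-format line: client IP, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# The worm's probe: GET /default.ida?<long run of one letter><%u-encoded words> HTTP/1.x
# The letter run overfills the Index Server ISAPI extension's buffer; the %u words
# that follow carry the exploit. Original Code Red pads with 'N'; a pad of 'X' marks
# the Code Red II variant (a known fact about the worm, not something this page states).
PROBE_RE = re.compile(
    r"^GET /default\.ida\?(?P<pad>N{100,}|X{100,})(?P<tail>%u[0-9a-fA-F]{4}\S*) HTTP/1\.[01]$",
    re.IGNORECASE,
)

# %u-encoded words that begin the exploit portion of the real worm request.
SHELLCODE_MARKER = "%u9090%u6858%ucbd3%u7801"


def classify_request(req: str) -> Optional[str]:
    """Return 'CodeRed' or 'CodeRedII' for a worm probe request line, else None."""
    m = PROBE_RE.match(req)
    if not m:
        return None
    return "CodeRed" if m.group("pad")[0].upper() == "N" else "CodeRedII"


def scan_log(text: str) -> List[dict]:
    """Return one record per Code Red probe found in access-log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line; ignore it
        variant = classify_request(m.group("req"))
        if variant is None:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": m.group("status"),
            "variant": variant,
            # True when the exploit words are intact (a scanner may send only the pad)
            "exploit_marker": SHELLCODE_MARKER in m.group("req"),
        })
    return hits


def worm_phase(day_of_month: int) -> str:
    """Phase Code Red v1/v2 selects from the system clock's day of month.
    Boundaries (1-19 spread, 20-27 flood the hard-coded target, 28+ sleep) are
    taken from public analyses of the worm, not from this page."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month must be 1..31")
    if day_of_month <= 19:
        return "propagate"
    if day_of_month <= 27:
        return "dos"
    return "sleep"


PAYLOAD_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample lines (not real captures). The two probes rebuild the worm's
# request shape with 224 pad characters, as the original request used.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [19/Jul/2001:10:14:21 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.17 - - [19/Jul/2001:10:15:02 +0000] "GET /default.ida?'
    + "N" * 224 + PAYLOAD_TAIL + ' HTTP/1.0" 404 324',
    '10.0.0.8 - - [19/Jul/2001:10:16:40 +0000] "GET /default.ida HTTP/1.0" 200 512',
    '198.51.100.4 - - [04/Aug/2001:02:01:09 +0000] "GET /default.ida?'
    + "X" * 224 + PAYLOAD_TAIL + ' HTTP/1.0" 400 0',
    "not a log line at all",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['variant']} "
              f"status={hit['status']} exploit={hit['exploit_marker']}")
    print("phase if the clock read day 25:", worm_phase(25))
```

A hit on a server that is not running IIS identifies an infected source scanning you, which is the useful signal for contacting that network's operators. On an IIS host the absence of a log entry is not proof of safety: the overflow fires inside the ISAPI extension before the request completes, so a successful exploit may never be logged. Check for the patch directly rather than relying on the log.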

 

